ASIL decomposition

The objectives of the paper are the maximization of the system availability, the minimization of system cost, and achieving a reasonable ASIL using ASIL-decomposition. In order to make the best choice in the presence of reliahihty, safety, and cost challenges, an objective function and its constraints are defined by authors who involve the above mentioned interests. Subsequently, the optimmn value of objective function will be found using GA and pattern search methods. Adaptability of the optimization results will be finally verified by a practical approach which developed within an automotive project. 

Additionally, performing ASIL decomposition leads to economize the safety requirements level of system structure. It is assumed that all failure rates are constant and exponential distributed. Although this example is solved for a specific function of system, this approach can extended for several functions contemporaneously. 

The development and refinement of the EEA lies in the responsibility of the EE architect. The compliance of the developed system to the ISO 26262 lies in the responsibility of the safety manager. Although the EEA is not a system within the meaning of the ISO 26262, the development process of the EEA strongly correlates with the ISO 26262 [6] (part 4, chapter 7). This includes the allocation of TSRs ([6], part 4, chapter 7.4.5) to the elements of the system architecture, which are artifacts of the EEA model, the accomplishment of ASIL decomposition ([6] part 4, chapter 7.4.2.5) if adaptable and the assessment for the meeting of coexistence criteria ([6] part 4, chapter 7.4.2.3). Coexistence will be detailed in chapter 6. 

ASIL decomposition requirements - DecompositionRequirement ) with fault tolerant time are specified in Step 4. These requirements shall refer to at least one safety goal (see Tab. 4, 2M08RA). 

To lower the ASIL for certain components, ASIL decomposition (described appropriately in ISO 26262) can be applied. The necessary requirement category < ASILDecomposiUonRequirement ) has been defined as part of Step 2. In this step, the values for this category are set. The decomposed requirements have a lower ASIL for the technical realization, but the processes have to be established for the original ASIL. This is indicated by providing the original ASIL in parentheses behind the lowered one, e.g. ASIL A(D) (see Fig. 4). 

If an ASIL A (ASIL A(D)) function is part of an ASIL-Decomposition of ASIL D function, the signal chain also for the implementation in ASIL A have to be quantified. If all possible failures of an ASIL B function have a safety mechanism... 

Measures or implemented safety mechanisms cost money, resources and development time, which are always difficult to be aware of, if it is not planned ahead of the development of an entire system. It is even more difficult if such components are run in ASIL decomposition. In this case there may be three parties involved, which have to come to an agreement for the failure control, the redundant parts and most likely a common element such as voter, comparator or similar. 

If an ASIL decomposition (see Fig. 4. 58) would consist of these two sensor chains (S1 and S2) as weU as the electronic control unit (ECU), all errors (MFxx, malfunction) would need to be sufihciently controlled according to ASIL. 

It is important, that the planning of the analyses and verifications considers this and also effectively plans appropriate process locking similar to the production process also for the development process. This is especially evident for the planning of dissimilar or divers functions for example for an ASIL decomposition. If one algorithm is developed in Australia and one in Scandinavia it does not indicate... 

In addition, it is the author s recommendation to perform at least a qualitative (or just illustrative) Fault Tree Analysis [10] going down the hazards, in order to check with all relevant experts how they could arise (based on the functional system architecture) and to show where reference is made to redundant elements, which require special considerations to prove their independence. ASIL decomposition can be better justified using a Fault Tree. 

Requirements decomposition with respect to ASIL taHorlng 9-7 Analysis of dependent failures... 

It is possible to lower the ASIL assigned to SGOl. The following decomposition of ASIL D was chosen ... 

The functional concept may be based on the block diagram. All signals are read in with ASIL B and use the dependencies of the system function groups (logical elements) for plausibility checks to implement the decomposition or safety mechanisms. To control the throttle valve and the pressure injection we use current read... 

The intended function (in QM) and the monitoring function (in ASIL C) require two sufiiciently independent software implementations for example two partitions in a microcontroller. The realization paths to the ASIL B sensor signals (including the sensor itself) can be realized in ASIL B. In anticipation of the technical realization the calculation for the set position of the pressure regulator and the throttle valve will also be separated. This could lead to a reduction of ASlLs or at this point decomposition could already be included. However, the advantages and disadvantages should be questioned with regards to the application effort. 

The constraints are based on the ASIL level therefore the ASIL level determines the effort to be applied. However, rules of level decomposition are given subject to adequate independence justifications (see Figure 9.27) or studies of criticality (see Tables 9.2 and 9.3). 

Moreover, the possibility of decomposition of the ASIL level using the principle of diversified redundancy is important in order to put less constraint on the process methods and tools for hardware and software design as well as validation activities. 

---